Diagnosis of GSI-OpenSSH Client Issues
Verifying your GSI configuration
As a first step, please run the following command to verify your GSI configuration:
If you do not see 'Proxy Verify OK' in the output, there is a problem with your GSI configuration. For more information on configuring GSI, please see the Globus Toolkit security documentation.
Running the GSI-OpenSSH SSH client in debugging mode
The following information can be used to diagnose some common problems that you may be experiencing with the GSI-OpenSSH client. Each snippet of the client's output was taken from running it with the '-vvv' flag (which increases the debugging level to 3, the maximum):
No proxy found
If you have not run grid-proxy-init to create a user proxy, the client reports that no local credentials exist, and any attempt to authenticate using GSI fails.
debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
Function:proxy_pw_cb
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
Fix: Verify that your GSI proxy has been properly initialized via 'grid-proxy-info'. If you need to initialize this proxy, use the command 'grid-proxy-init'.
Library error from ssh-keysign
If you install ssh-keysign setuid root for hostbased authentication, you may see library errors, because the dynamic linker ignores LD_LIBRARY_PATH for setuid executables. You can fix this in one of the following ways:
- Add the GSI libraries to the default system library search path (for example, by editing /etc/ld.so.conf and running ldconfig).
- Build ssh-keysign statically with gpt-build -static.
- Use ssh-keysign from a non-GSI build of OpenSSH.
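The two failures described above ("No proxy found" and the ssh-keysign library error) can be triaged with a few shell helpers. This is an added example, not part of GSI-OpenSSH or the Globus Toolkit; the function names, the sample log and the path you pass to check_keysign are assumptions.

```shell
#!/bin/sh
# Added example: triage helpers for the two failures described on this page.
# Function names and sample data are hypothetical, not part of GSI-OpenSSH.

# Classify 'ssh -vvv' output read from stdin. Prints "no-proxy" when the
# client reported missing proxy credentials (the debug lines quoted in the
# "No proxy found" section), otherwise "unknown".
classify_ssh_debug() {
    if grep -q -e 'no proxy credentials' -e 'Problem with local credentials'; then
        echo "no-proxy"
    else
        echo "unknown"
    fi
}

# Print the libraries that ldd output (read from stdin) reports as unresolved.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Check an ssh-keysign binary whose path the caller supplies. Libraries are
# resolved with LD_LIBRARY_PATH unset, because that is what a setuid
# executable sees at run time.
check_keysign() {
    bin=$1
    [ -f "$bin" ] || { echo "not-found"; return 0; }
    libs=$( (unset LD_LIBRARY_PATH; ldd "$bin" 2>/dev/null) | missing_libs )
    if [ -z "$libs" ]; then
        echo "ok"
    elif [ -u "$bin" ]; then
        echo "setuid, unresolved without LD_LIBRARY_PATH: $libs"
    else
        echo "unresolved without LD_LIBRARY_PATH: $libs"
    fi
}

# Constructed sample input, copied from the debug lines quoted on this page.
SAMPLE_LOG='debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
debug1: SSH2_MSG_KEXINIT sent'

printf '%s\n' "$SAMPLE_LOG" | classify_ssh_debug
```

To use it against a real session, pipe `ssh -vvv <host> 2>&1` into classify_ssh_debug and pass the installed ssh-keysign path to check_keysign.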